How to Talk About EASM to the C-suite
In nearly every organisation, getting teams to talk to each other runs into difficulties now and then. Between CISOs and the C-Suite this is nothing new, but with today’s cybersecurity threats, being prepared and being able to get buy-in at board level is business critical.
C-Suite executives are busy keeping track of staff, profits and projects and ensuring the smooth running of the organisation, but so are CISOs, so getting the two sides talking needs to be a priority.
When it comes to External Attack Surface Management, the C-Suite needs to be better prepared; after all, it is mainly humans and their interactions with systems that cause the biggest security issues.
In this article we look at the challenges for CISOs and the C-Suite, EASM and the C-Suite, and how to talk about EASM with the C-Suite.
Challenges for CISOs and the C-Suite
There have been many challenges over recent years between CISOs and the C-Suite, the biggest being business readiness in the face of a global pandemic. The shift to people working from home, and the challenges this brings to cybersecurity teams, cannot be overstated.
There have been numerous reported cases of cybersecurity systems weakened by this shift in working patterns, and many CISO teams around the world have noted the increased vulnerability that comes with expanding external attack surfaces.
On the other hand, the C-Suite has had to think not only about cybersecurity but about the general running and operations of the business, from profitability or survival to worker wellbeing when people are isolated or working from home in less than ideal conditions. It’s easy to see how CISOs and the C-Suite can end up not seeing eye to eye on cybersecurity urgency.
This is why gaining the C-Suite’s trust and buy-in, in order to deal effectively with ever-increasing security threats, is a challenge for CISOs.
With the emergence of EASM (External Attack Surface Management) as one of the new cybersecurity concerns, CISOs have to think differently about how they get C-Suite buy-in. In particular:
- CISOs need to understand C-suite and business priorities.
- CISOs need to communicate clearly what is needed, so that C-suite executives understand.
- The C-suite does not always fully understand complex technical presentations.
- The C-suite is sometimes not up to date in its understanding of evolving cyber threats and risks to the business.
- The C-suite might focus on the wrong metrics or data when considering cybersecurity.
We covered the challenges for CISOs and the C-suite in a recent blog. To read a more detailed guide, please click on the following link.
EASM and the C-Suite
It’s no wonder that with anything technological things move fast, and in cybersecurity that is something of an understatement. EASM, as recently highlighted by the consulting firm Gartner, addresses the new major security threat.
An External Attack Surface (EXS), also known as a digital attack surface, is the sum of an organisation’s internet-facing assets and the associated attack vectors that can be exploited during an attack. Every public-facing asset your customers and employees access when interacting with your company online, whether owned and managed by your organisation or by a third party, makes up your online ecosystem. This represents your organisation’s external attack surface.
It’s no wonder that many organisations are completely unaware of how expansive their external attack surfaces are. External attack surfaces are primarily user based: misconfigurations between downloaded software, new apps or technology, and even where information is being accessed can cause the larger security threats.
This is why it is important that organisations implement and use EASM effectively. One of the biggest challenges, however, is getting CISOs to communicate the use of EASM with urgency to the C-suite. This must be resolved internally within the organisation in order to ensure protection from cyber attacks.
Getting cybersecurity buy-in from the C-suite, specifically to support EASM, is therefore a business necessity.
How to Talk About EASM with C-Suite and Board
As highlighted in the previous section, getting CISOs to talk about EASM with the C-Suite and the board is essential. But how does the CISO discuss this new hot topic in cybersecurity without alienating a busy board or the main decision makers?
So what do CISOs need to remember before discussing EASM with the C-Suite?
- CISOs need to move beyond the technical aspects of their role to understand C-suite priorities and assist with the organisation’s overall strategy.
- CISOs need to gain trust from the board.
- The C-suite and board need to understand what the CISO is asking for and what is required from them.
- In many organisations the board or executive management team has no “comprehensive understanding of information security to fully evaluate cyber risks and preventive measures” proposed by CISOs.
There are some specific things CISOs can do to make communication with the C-Suite easier. These include:
Know Your Audience
It can be intimidating for non-technical minds to have technical discussions with technical people. Knowing your audience is essential: CISOs need to be familiar with who they are talking to and what their respective priorities might be.
By knowing the target audience (their technical familiarity, favoured communication styles, priorities, etc.), presentations and messages can be more effective and elicit trust.
CISOs may want to start by finding out what the individuals already know about EASM and then tailoring their explanations to that audience.
Use Business Terminology
One of the fears for many non-technical people is jargon. Jargon isolates audiences more than it brings people together, and CISOs have something of a reputation for using jargon in their presentations and even in general discussions. This must be avoided at all costs, especially if you’re trying to get buy-in from individuals who have the power to approve changes.
Another important aspect of communication here is the need to fully understand the relevant metrics and how they relate to the business and the bottom line, and to communicate these to the C-suite and board in language they are familiar with.
Boards are more likely to respond to risk and to the need to show a return on their cybersecurity investment. Consistency and clarity are needed, without over-complexity.
Cite Relevant Security Breach Examples
One of the best ways to communicate with busy people is to talk about case studies of other busy people… What we mean is that discussing the issues faced by other businesses can put the C-Suite in a better position to understand the potential impact on their own business if they are not prepared.
This is a really good way of conveying the importance of EASM without having to over-sell. If a competitor or a business the C-Suite admires has been affected by the cybersecurity challenges that EASM addresses, it is easier to get the C-Suite to see the issue from a business perspective.
Another way to add to this strategy is to talk about the cost impact of security breaches, which can help persuade the C-suite and board to allocate an adequate security budget.
Finally, given the ever-increasing use of personal devices and the move to WFH, explaining the risks of not paying adequate attention to EASM is a strategy that can reap benefits in getting organisational approval.
Clearly Describe What’s Required
When discussing these measures, it’s important to be very clear about what you want to achieve, what you are asking for and what to expect from the C-suite and board. Without clarity, the C-Suite can ignore the requests: they are aware of the issue but have nothing to guide them to a solution.
For example, a complex EASM objective can be broken down into prioritised requirements, with those that have the greatest impact given the highest priority. The lower the priority, the less attention it should be given in any discussion.
Discuss the benefits of making these changes, and relate any specific requirements to the metrics that will be affected, e.g. risk levels, or time saved through automation.
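As an added illustration of the definition given earlier (the external attack surface as the sum of internet-facing assets, whether owned internally or by a third party) and of breaking an EASM objective into prioritised requirements tied to metrics, the following Python script is example code written for this article; it is not a tool from Bluefort or from any EASM vendor. The asset records are constructed sample data (the `.example.test` hostnames are not real), and the impact rubric (points for personal data, customer exposure, third-party hosting and a missing accountable owner) is an assumption chosen for illustration; a real programme would set its own weights and thresholds.

```python
"""Added example: turn an external attack surface inventory into a
prioritised, board-level summary with a plain-language ask per asset.

Asset records below are constructed sample data and the scoring rubric is
an illustrative assumption, not a vendor's or the article's methodology.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str                  # hostname or service label (constructed)
    kind: str                  # web app, vpn, mail, storage, ...
    owner: str                 # "internal" or "third-party"
    exposed_to: str            # "customers", "employees" or "public"
    handles_personal_data: bool
    has_owner_contact: bool    # is someone accountable for this asset?


# Constructed sample inventory: every internet-facing asset counts,
# including those run by a third party on the organisation's behalf.
INVENTORY = [
    Asset("www.example.test", "web app", "internal", "customers", True, True),
    Asset("vpn.example.test", "vpn", "internal", "employees", False, True),
    Asset("legacy-portal.example.test", "web app", "internal", "customers", True, False),
    Asset("files.vendor.example.test", "storage", "third-party", "employees", True, False),
    Asset("status.example.test", "web app", "third-party", "public", False, True),
    Asset("mx.example.test", "mail", "internal", "public", True, True),
]


def impact_score(asset: Asset) -> int:
    """Illustrative impact rubric (assumed weights, not a standard)."""
    score = 1                                   # every exposed asset carries some risk
    if asset.handles_personal_data:
        score += 3                              # breach would have regulatory/cost impact
    if asset.exposed_to == "customers":
        score += 2                              # customer trust and revenue at stake
    if asset.owner == "third-party":
        score += 1                              # less direct control over fixes
    if not asset.has_owner_contact:
        score += 2                              # nobody accountable to remediate quickly
    return score


def priority(score: int) -> str:
    """Map a score onto the three tiers a board summary would show."""
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def ask_for(asset: Asset) -> str:
    """Phrase the requirement in business terms rather than jargon."""
    asks = []
    if not asset.has_owner_contact:
        asks.append("assign an accountable owner")
    if asset.owner == "third-party":
        asks.append("confirm the vendor's security commitments in the contract")
    if asset.handles_personal_data:
        asks.append("include the service in the regular security review cycle")
    return "; ".join(asks) or "keep under routine monitoring"


def prioritised_requirements(inventory: list[Asset]) -> list[dict]:
    """Rank assets so the highest-impact items lead the discussion."""
    rows = [
        {"asset": a.name, "score": impact_score(a),
         "priority": priority(impact_score(a)), "ask": ask_for(a)}
        for a in inventory
    ]
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def board_summary(inventory: list[Asset]) -> dict:
    """The handful of metrics a CISO would put on one slide."""
    rows = prioritised_requirements(inventory)
    return {
        "total_assets": len(rows),
        "by_priority": dict(Counter(r["priority"] for r in rows)),
        "third_party": sum(1 for a in inventory if a.owner == "third-party"),
        "without_owner": sum(1 for a in inventory if not a.has_owner_contact),
        "top_three": [r["asset"] for r in rows[:3]],
    }


if __name__ == "__main__":
    for row in prioritised_requirements(INVENTORY):
        print(f"{row['priority']:6} {row['score']:2}  {row['asset']:30} {row['ask']}")
    print(board_summary(INVENTORY))
```

The point of the design is that the ranked list decides what gets airtime (high-priority items first, low-priority items barely mentioned), and each row already carries the ask in business language, so the same data serves both the CISO's working view and the one-slide summary for the board.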
It would be an overstatement to say that CISOs and the C-Suite have found it easy to communicate on business requirements, especially in cybersecurity, over the last couple of years. But with a greater push to work from home in many businesses, getting CISOs and the C-Suite to communicate better is a business necessity.
With the emergence of EASM tools to help protect businesses from cyber attacks, CISOs must be able to communicate better to the C-Suite the benefits of looking after these issues, and to prioritise what is required in order to keep the organisation running smoothly.
If you are looking to get a better understanding of where your organisation’s cyber weaknesses lie, Bluefort’s Evolve IT Services can not only help you gain a much better understanding of these threats but also provide you with the solutions to protect your organisation in the long term.